Microsoft Patches Fix IE, Sony Flaws 174
An anonymous reader writes "Microsoft issued two security updates today, one of which fixes at least four flaws in its Internet Explorer browser, including one for which an exploit was released over Thanksgiving that is now being used by a handful of porn sites to install spyware, etc. According to Washingtonpost.com, the IE patch also removes a component left behind by a patch from Sony BMG designed to remove some of the more dangerous features of anti-piracy software installed by Sony BMG music CDs. Researchers found that the Sony patch changed settings in IE so that any Web site could install software on those machines."
two wrongs (Score:5, Funny)
Re:two wrongs (Score:2)
turning over a new leaf for new years resolution early?
-nB
Re:two wrongs (Score:2, Insightful)
Well, I've been enjoying playing games on my M$ box for years now, so unless I've totally overlooked a whole Linux-gaming world, then that can't be the 1st thing they've done right. Yes, M$ sucks for servers, browsing, anything needing security, etc... but I need a M$ box if I want to enjoy any games at home.
Sorry, but this needs to be ranted about, because I could be done with M$ forever if only the last piece of the puzzle was taken care of... and that's gamin
Re:two wrongs (Score:3, Informative)
Long Story short: Nivdia and ATI's are the roadblocks in this area. They're linux drivers are half-assed and they will not release information for their their graphics cards so that a an open source driver can be written.
Re:two wrongs (Score:2)
The reason there is not a strong gaming community for *nix is because there aren't enough games. There aren't enough games because there isn't a strong gaming community. Catch 22.
Re:two wrongs (Score:2)
They're linux drivers are half-assed
Please pay more attention so we can avoid this useless posting in the future.
Re:two wrongs (Score:2, Informative)
IMO, there's nothing is wrong with a closed commercial driver as long as the people writing the drivers didn't make it so you need to jump through hoops to get it installed. And then not fix bugs and not implement some basic features in the drivers.
I would say tha
Re:two wrongs (Score:2)
Re:two wrongs (Score:2, Interesting)
So they're keeping the ball in their own court. BFD. The drivers work just fine. I've been using both since the days they came out. They fucking work, and they work JUST the same as the Windows drivers do (and yes, ATI is a bitch in that area, extrapolate that, you whore). They're not flawless, nothing is. But they work as expected. If it weren't for
Re:two wrongs (Score:2)
Re:two wrongs (Score:3, Funny)
Never choose the lesser of two evils because that's the one that will lose.
Re:two wrongs (Score:2, Funny)
Re:two wrongs (Score:2)
Re:two wrongs (Score:4, Funny)
Re:two wrongs (Score:3, Funny)
Now this is very interesting... (Score:3, Interesting)
So according to these researchers, one could logically assume that it is indeed not as much of Microsoft's fault for lots of viruses and spyware people have been getting over the last year or so, but more of Sony's fault for bad DRM software opening holes in people's browsers?
It's just funny, Microsoft's claims that '3rd party software is to blame' and 'Windows is fine' is finally
Re:Now this is very interesting... (Score:4, Interesting)
It has always been true, just not helpful. Sony's rootkit is not functionally different from Hacker Defender or any other '3rd party' rootkit. A product which works in the lab, but not in the field is still a failure.
Re:Now this is very interesting... (Score:2, Insightful)
...still waiting for service pack ZONKZonk-1.0... (Score:2, Funny)
Re:...still waiting for service pack ZONKZonk-1.0. (Score:2, Insightful)
Re:...still waiting for service pack ZONKZonk-1.0. (Score:2)
Yes, I know Taco started the site and is user #1. It's nice to know that he still cares after such a long time.
Re:...still waiting for service pack ZONKZonk-1.0. (Score:2)
Re:...still waiting for service pack ZONKZonk-1.0. (Score:5, Interesting)
You can disable Zonk right there -- his posts will never reach your browser again. (This is compatible with all web browsers I've tested, though you have to enable cookies. But then cookies are such delicious delicacies, you have to wonder why anyone would want to disable them other than being on a diet.)
There's only one problem, though: This patch requires you to register with Slashdot. One wonders how responsible it is to require personal information (I hear they actually want a username and a password! At least you can use a throw-away email address) in order to use this valuable functionality.
This is bizarre (Score:4, Funny)
Re:This is bizarre (Score:5, Funny)
I think you mispelled "chairs".
(sorry, couldn't resist
This is what to expect (Score:3, Funny)
I think you misspelled "chairs".
That's "stool."
Re:This is bizarre (Score:2)
If there's a single word that the aspiring grammar Nazi should be able to spell upside down and backwards, in their sleep, and rot13'd, it's "misspelled."
Re:This is bizarre (Score:5, Insightful)
Re:This is bizarre (Score:5, Insightful)
Who has just invested millions in the launch of a games console, and who is the current leader in that arena?
Re:This is bizarre (Score:4, Funny)
<flamebait type="fanboy"> ...Nintendo? </flamebait>
Re:This is bizarre (Score:2)
Heh, I was waiting for that one
Re:This is bizarre (Score:2)
Plus, you know, actual console sales.
Re:Knightdom (Score:2)
Re:Knightdom (Score:3, Funny)
Actually, it gets better (Score:5, Interesting)
I submitted an article about this a few weeks ago, it was rejected for some reason. Probably too many Sony stories already.
Yes, MSRT removes F4I (Score:4, Informative)
"WinNT/F4IRootkit is a kernel-mode rootkit used for copy protection on certain Sony BMG audio CDs. There are several versions of this rootkit. The rootkit hides certain Windows system resources, including files, processes, and registry settings. The rootkit can be used by attackers to hide malicious content on the computer." -Microsoft
http://www.microsoft.com/security/malwareremove/fa milies.mspx [microsoft.com]
http://www.microsoft.com/security/encyclopedia/det ails.aspx?name=WinNT%2FF4IRootkit [microsoft.com]
Re:Actually, it gets better (Score:2)
Nah, heck, I can't get enough of it. I've been laughing my ass off through the whole Sony saga. I'm thinking it would be great to cut up into half-hour episodes and show on Nick-at-Nite five years down the road.
The title is left as an exercise for the witty Slashdotter.
Thank you Sony... (Score:2, Interesting)
Re:Thank you Sony... (Score:5, Funny)
Thanks Sony for making my system vulnerable (Score:2, Insightful)
Re:Thanks Sony for making my system vulnerable (Score:1)
That does it. Hand over your Geek Card(TM).
Re:Thanks Sony for making my system vulnerable (Score:2)
Re:Thanks Sony for making my system vulnerable (Score:2)
Re:Thanks Sony for making my system vulnerable (Score:4, Insightful)
Re:Thanks Sony for making my system vulnerable (Score:2)
By definition, DRM breaks or causes problems in other systems. If it doesn't do so, it fails to meet its requirements.
Sony (Score:5, Informative)
Re:Sony (Score:2)
Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.
Now that the cat is out of the bag, any company making a CD or DVD may try this.
As a consumer I just ceased purchasing all media with software on it, this includes USB anything and CD, DVD. I will resume purchases when I see "DRM Free" labels on them. I would suggest everyone do the same. If enough people do, the industry will recoil.
ahhhh... (Score:4, Funny)
The Good, The Bad, and The Stupid (Score:5, Insightful)
If Microsoft waits for the patch cycle, slashdotters complain Microsoft is purposely holding out so that they can sell anti-virus
And normal computer users, they don't patch so it really does matter
Re:The Good, The Bad, and The Stupid (Score:4, Insightful)
If Microsoft released patches right away and didn't have a history of patches that broke everything and introduced more holes... people would complain less.
Re:The Good, The Bad, and The Stupid (Score:4, Insightful)
Perhaps a corollary of the complaint is that Microsoft seems to have enough money that they could afford some QA on their code. Considering their exploits result in crippling the economy [cnn.com], a little responsibility doesn't seem like a lot to ask.
No one can write software that's 100% bug free, but they could get a lot closer to 100% than this.
Re:The Good, The Bad, and The Stupid (Score:2)
Users of the Windows operating systems reported sluggish machines and computers that quit or rebooted for no reason.
How could they tell the difference?
Re:The Good, The Bad, and The Stupid (Score:2)
If the system administrators don't like installing and testing the patches that often, they can accumulate patches and install them all at once according to their own internal corporate five-year update/patch/test cycle.
Let's see...
Strange (Score:4, Interesting)
Re:Strange (Score:5, Informative)
Pretty much. It installs poorly coded filters on the CD drives - if installed in the middle of an IO you could get a blue screen. Mark discussed this in detail.
Much safer to remove during reboot otherwise you'd hear screams of, "The patch BSOD'd my computer!"
Re:Strange (Score:5, Informative)
(All from memory of reports here, don't shoot me if the terminology is wrong)
it's just an anti sony move (Score:3, Insightful)
After the HD DVD delay and the xbox failure in Japan, MS needed to do some anti sony PR to make it up in their little war against Sony.
Re:it's just an anti sony move (Score:3, Funny)
Re:it's just an anti sony move (Score:2)
I think I know how (Score:2)
apt-get remove media-max
Re:I think I know how (Score:2)
I like the other one better (Score:3, Funny)
"Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service. After you install this item, you may have to restart your computer."
Sweet irony. At least that's refreshing from the attacker that could compromise my computer - I'm really tired of this guy.
How come I *may* have to restart my computer - haven't you tried it on one of your box beforehand or do you really have no clue?
Re:I like the other one better (Score:2)
Re:I like the other one better (Score:2)
Is this a regression? XP has that issue out of the box (before they fixed it I was always having to reinstall after windows update broke) but that was ages ago.
Darn it! (Score:5, Funny)
Oh, wait... this is a different Microsoft vs. Sony hissy fit?
Blu Ray (Score:5, Insightful)
It would be ironic if somebody at Sony who was worried about selling a few copies of a country-western CD ended up jeopardizing a billion dollar market.
Wow, should MS be sued under the DMCA? (Score:5, Interesting)
So, since MS is keeping Sony from installing their "DRM" spy^H^H^Hsoftware, you can say they are circumventing Sony's DRM software, PLAINLY against the DMCA. The only question is.....who do we cheer for when evil sues evil over evil with evil laws?
-mix
Re:Wow, should MS be sued under the DMCA? (Score:2)
Or maybe they'll just make some agreement that benefits both parties and be done with it, but hey, i can dream
Re:Wow, should MS be sued under the DMCA? (Score:2)
I mean, Mediamax was certified by Microsoft, I'd be surprised if there wasn't correspondence between the two before the Rootkit was imprinted on those CDs. Or at least a thorough review by Sony BMG legal.
Re:Wow, should MS be sued under the DMCA? (Score:2)
This whole fiasco SHOULD have sony backed into the far corner of their cage, with their tail tucked so firmly in its a very effective chastity belt.
Funny part is, all those cd's marked copy protected? Wally World hasn't pulled a single title off their music racks, nosiree bub.
Re:Wow, should MS be sued under the DMCA? (Score:2)
They didn't. They just made it slow, vulnerable and crash-prone.
Lawsuits (Score:2)
Re:Lawsuits (Score:2)
The EFF and New York apparently have filed their own lawsuits, but I don't have links.
Where is everyone? (Score:3, Funny)
This has got to be a first.
Exams (Score:2)
This IS news! (Score:2, Funny)
And, the gratuitous open-source post:
There was a browser security issue and Sony could install a root-kit? Weird, never even noticed.
Re:This IS news! (Score:2)
Re:This IS news! (Score:2)
who gets the bill (Score:3, Insightful)
Odd problems (Score:3, Interesting)
Like, best way to explain it, you can launch IE and it will go to your home page, however, when you type a URL in the address bar it opens up a new window as if you pressed ctrl-n and typed it in there?
Also rears its ugly head if you have another browser set as default. Type in say, 'www.sosdg.org' in the URL bar of IE, and it opens up Mozilla/K-Meleon/Firefox instead of just opening in the open window of IE?
I've seen this behavior on two XP Home machines, while a third was perfectly fine (all running SP2)
Re:Odd problems (Score:4, Funny)
Sounds like the security fix I've been hoping for a while
Re:Odd problems (Score:2)
However, I did field a call from one of my users who only uses IE (trust me, I tried to change them over to firefox or opera, but that was a wasted effort), so I'd really like to figure out what got broke exactly.
Re:Odd problems (Score:2)
Re:Odd problems (Score:2)
From my blog [sosdg.org]:
With help and ideas from an MS guy, I've managed to narrow down the bug which is causing the issue.
The version of browseui.dll (6.0.2900.2802) from the 905915 update is the culprit.
If you disable WFP, reboot with the recovery console, and replace it with browseui.dll (6.0.2900.2753 from previous update, probably 896688 IIRC), then reboot again, behavior will return back to no
OMGWTFBBQ???!!!!11!! (Score:5, Funny)
> that any Web site could install software on those machines."
Wait. So, Sony is setting IE back to its default security settings?
That hardly seems newsworthy.
Re:I don't get it (Score:4, Informative)
Re:I don't get it (Score:1)
Re:I don't get it (Score:3, Insightful)
One of the biggest complaints about Windows security is that it's hard to not run as administrator because so many programs require it to install, yet this is a guaranteed "feature" of Linux: WTF?
Re:I don't get it (Score:2)
You have this wrong on both ends.
First, the big problem with windows is not that you have to be an Administrator to install software. The problem is that you have to be one to use it. Lots of software doesn't actually work properly, once installed, if you are not an admin. Other software doesn't work if yo
Re:I don't get it (Score:3, Interesting)
That is however only true for source, binaries under Linux have quite often their location hardcoded, moving them to a different directory is impossible without either ugly hacks (hex editor) or less ugly hacks (envirorment variables, command line parameter, etc.). Binarie
Re:I don't get it (Score:2)
You can move an application any where you want and it is likely it will not complain. Delete a user... no complaints. It asks you for a root password when you install software or make system changes and that is about it.
Re:I don't get it (Score:2)
2. It's technically an admin (user is member of sudoers) password, not a root password. Some few drivers must be installed from an admin account (Xerox/EFI, I'm looking in your direction).
3. Better than "no complaints" when you delete a user, the system will offer to create an image of the deleted homedirectory and place it in
Re:I don't get it (Score:3, Informative)
That's not true for any of the package systems I've used. Sure, you can do it if you download the source (or a binary tgz, etc), but the majority of users (as opposed to admins) won't be doing that.
Re:I don't get it (Score:3, Informative)
Re:I don't get it (Score:3, Insightful)
Yes, there are a lot of sucky developers who make windows apps. There are also plenty of sucky developers working on *nix software. I've installed plenty of stuff off sourceforge that was badly written.
This is a developer issue, not a windows issue.
Re:I don't get it (Score:3, Insightful)
Package installation probably should have a warning like old newsreaders had:
"Please be sure you know what you are doing."
In fact, any software installation should have it. Some malware gets on Windows machines instantly through Outlook or IE exploits, but great deal of it gets there because non-tech-savvy users see a "Click OK to install the UltraCoolSlickLinksToolBar plugin" dialog and don't know the d
Re:I don't get it (Score:2)
Re:I don't get it (Score:2)
Re:I don't get it (Score:2)
About the only significant things a Power User cannot do by default are "Security Account Manager"-related. That is, a Power User cannot create new users, remove other users, delegate rights, etc. on the local the machine. Also, a Power User cannot typically do a fe
Re:I don't get it (Score:2, Insightful)